* First in a series on writing and publishing security policies

In this short series of articles, I am updating materials I wrote for Chapter 28 (“Security Policy Guidelines”) of _The Computer Security Handbook, 4th Edition_. This first column starts with recommendations on how to frame security policies.

How should one write security policies? Should they be suggestions? Orders? Positive? Negative? I think that policies should be definite, unambiguous and directive. In addition, all policies should have (preferably optional) explanations for the reasons behind them.

Orientation: Prescriptive and proscriptive

Security policies should be written with clear indications that all employees are expected to conform to them. Language should be definite and unambiguous; for example, “All employees must…” or “No employees shall…” Some policies require people to do something – these are _prescriptive_; for example, “Employees must follow the password procedures defined by the Information Protection Group at all times.” Other policies prohibit certain actions – these are _proscriptive_; for example, “No employee shall make or order illegal copies of proprietary software under any circumstances.”

Writing style

Each policy should be short. Simple declarative sentences are best; writers should avoid long compound sentences with multiple clauses. Details of implementation are appropriate for standards and procedures, not for policies. Policies can refer users to the appropriate documents for implementation details; for example, “Passwords shall be changed on a schedule defined in the _Security Procedures_ from the Information Protection Group.”

Reasons

Few people like to be ordered about with arbitrary rules. Trying to impose what appear to be senseless injunctions can generate a tide of rebellion among employees.
It is far better to provide explanations of why policies make sense for the particular enterprise; however, such explanations can make the policies tedious to read for more experienced users. A solution is to provide optional explanations. One approach is to summarize policies in one part of the document and then to provide an extensive expansion of all the policies in a separate section or a separate document. Another approach is to use hypertext, as explained in an article to follow.